CNA 210 | Ch. 4, Advanced Cryptography and PKI
code signing
A _________ digital certificate is used by software developers to digitally sign a program to prove that the software comes from the entity that signed it and no unauthorized third party has altered or compromised it.
hierarchical
A __________ trust model assigns a single hierarchy with one master CA called the root. The root signs all digital certificate authorities with a single key.
cipher suite
A ___________ is a named combination of the encryption, authentication, and message authentication code algorithms that are used with SSL and TLS.
domain validation
A _______________ digital certificate verifies the identity of the entity that has control over the domain name.
web of trust
A less secure trust model that uses no CA is called the ___________ model and it is based on direct trust.
key space
All the possible values for a specific key make up its ___________.
key recovery agent (KRA)
Some CA systems have an embedded key recovery system in which a ___ is designated, who is a highly trusted person responsible for recovering lost or damaged digital certificates.
Secure Real-Time Transport Protocol (SRTP) Real-Time Transport Protocol (RTP)
The ____ has several similarities to S/MIME. Just as S/MIME is intended to protect MIME communications, this protocol is a secure extension protecting transmissions using the ___. This protocol is often used with VoIP technology.
domain validation extended validation (EV) wildcard subject alternative names (san)
The book lists four domain digital certificates, name three of them.
user root
The endpoint of a certificate chain is the _____ digital certificate. The beginning point is a specific type of digital certificate known as a ____ digital certificate.
Certificate Revocation List (CRL)
The first means of checking to see if a digital certificate has been revoked, is by using a ___, which is a list of certificate serial numbers that have been revoked.
Counter (CTR)
___ block operation mode requires that both the message sender and receiver access a counter, which computes a new value each time a ciphertext block is exchanged.
Secure Shell (SSH)
___ is a Linux/Unix-based command interface and protocol for securely accessing a remote computer.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
______ is a protocol for securing email messages. It allows users to send encrypted messages that are also digitally signed.
C. Online Certificate Status Protocol (OCSP)
__________ performs a real-time lookup of a digital certificate's status. A. Certificate Revocation List (CRL) B. Real-Time CA Verification (RTCAV) C. Online Certificate Status Protocol (OCSP) D. CA Registry Database (CARD)
Block cipher mode of operation
__________________________ specifies how block ciphers should handle each block of plaintext that's been separated and made ready for encryption.
certificate policy (CP)
A __ is a published set of rules that govern the operation of a PKI.
Subject Alternative Name (SAN)
A ___ digital certificate, also known as Unified Communications Certificate (UCC), is primarily used for Microsoft Exchange servers or unified communications.
Salt
A ____ is a value that can be used to ensure plaintext, when hashed, will not consistently result in the same digest.
nonce (number used once)
A _____ is an input value that must be unique within some specified scope, such as for a given period or for an entire session.
wildcard
A ______ digital certificate is used to validate a main domain along with all subdomains.
direct third-party
A ______ trust exists between two individuals who know one another personally, they've met and could recognize the other in a crowd. A ___________ trust refers to a situation in which two individuals trust each other because each trusts another party.
machine
A _______ digital certificate is used to verify the identity of a device in a network transaction.
digital certificate
A ________________ is a technology used to associate a user's identity to a public key and that has been digitally signed by a trusted third party.
cryptographic key
A _____________________ is a value that serves as input to an algorithm, which then transforms plaintext into ciphertext.
crypto service provider
A ______________________ allows an application to implement an encryption algorithm for execution.
C. Certificate Repository (CR)
A centralized directory of digital certificates is called a(n) _________. A. Digital Signature Permitted Authorization (DSPA) B. Digital Signature Approval List (DSAP) C. Certificate Repository (CR) D. Authorized Digital Signature (ADS)
B. The user's identify with his public key
A digital certificate associates ___________ A. A user's public key with his private key B. The user's identify with his public key C. A user's private key with the public key D. A private key with a digital signature
certificate practice statement (CPS)
A more technical document than a CP called a ___, describes in detail how the CA uses and manages certificates.
stapling
A variation of OCSP is called _______ OCSP, where web servers send queries to the Responder OCSP server at regular intervals to receive a signed time-stamped OCSP response.
D. Certificate Policy (CP)
A(n) _______ is a published set of rules that govern operation of a PKI. A. Signature Resource Guide (SRG) B. Enforcement Certificate (EF) C. Certificate Practice Statement (CPS) D. Certificate Policy (CP)
Basic Encoding Rules (BER) Canonical Encoding Rules (CER) Distinguished Encoding Rules (DER)
All X.509 certificates follow the ITU-T X.690m which specifies one of three different encoding formats: ___, ___, and ___.
object identifier (OID)
An ___ names an object or identity, and are made up of a series of numbers separated with a dot, such as 1.2.840.113582, and they correspond to a node in a hierarchy tree structure.
An _____ digital certificate allows a user to digitally sign and encrypt mail messages.
pinning
An additional digital certificate verification method is _______, in which a digital certificate is hard-coded within the app that is using the certificate.
Extended Validation (EV)
An enhanced type of domain digital certificate is the __ certificate. This requires more extensive certification of the legitimacy of the business.
C. Certificate authority (CA)
An entity that issues digital certificates is a __________. A. Certificate signatory (CS) B. Digital signer (DS) C. Certificate authority (CA) D. Signature authority (SA)
Kerckhoffs's principle
Auguste Kerckhoffs, a Dutch linguist and cryptographer, published what is known as the __________________, which were six design standards for military ciphers.
self-signed
Because there is no higher-level authority than that of a CA, root digital certificates are _________ and do not depend upon any higher-level authority for authentication.
C. Is the management of digital certificates
Public key infrastructure (PKI) ___________. A. Generates public/private keys automatically B. Creates private key cryptography C. Is the management of digital certificates D. Requires the use of an RA instead of a CA
character-set key-length
The formula for determining a given key space for symmetric algorithms is ____________________.
Creation Suspension Revocation Expiration
The life cycle of a certificate is typically divided into four parts. What are the four parts and in which order do they occur?
Electronic Code Book (ECB)
The most basic block cipher mode is ___ mode. Using this method, the plaintext is divided into blocks, and each block is then encrypted separately.
International Telecommunications Union (ITU) Telecommunication Standardization Sector (ITU-U). X.509
The most widely accepted digital certificates are defined by a division of the ___ known as the _____. There digital certificates adhere to the _____ standard.
certificate chaining
The process of verifying that a digital certificate is genuine depends upon ________________. This links several certificates together to establish trust between all certificates involved.
D. Digital certificate
The strongest technology that would assure Alice that Bob is the sender of a message is a(n) _________. A. Digital signature B. Encrypted signature C. Digest D. Digital certificate
Confidentiality Authentication Key management
There are three areas of protection that correspond to three IPsec protocols, identify them.
key strength
There are three primary characteristics that determine the resiliency of the key to attacks, this is called ___________.
A. TLS v1.2
Which of these is considered strongest cryptographic transport protocol? A. TLS v1.2 B. TLS v1.0 C. SSL v3.0 D. SSL v2.0
C. Authorization
Which of these is not part of the certificate life cycle? A. Expiration B. Revocation C. Authorization D. Creation
A. To verify the authenticity of the Registration Authorizer
Digital certificates can be used for each of these EXCEPT _____________. A. To verify the authenticity of the Registration Authorizer B. Encrypt channels to secure communication between clients and servers. C. To verify the identify of clients and servers on the web D. To encrypt messages for secure email communications.
pre-master secret
During step three of a key exchange, the browser generates a random value named __________________, encrypts it with the server's public key, and then sends it back to the server.
Key Management ISAKMP/Oakley
IPsec provides three areas of protection that correspond to three IPsec protocols. The third is _____________. IPsec manages the keys to ensure that they are not intercepted or used by by unauthorized parties. For IPsec to work, the sending and receiving devices must share a key. This is accomplished through a protocol known as ______________, which generates the key and authenticates the user using techniques such as digital certificates.
authentication Authentication Header (AH)
IPsec provides three areas of protection that correspond to three IPsec protocols. The first is ____________. IPsec authenticates that packets received were sent from the source. This is identified in the header of the packet and is accomplished using the __ protocol.
Confidentiality Encapsulating Security Payload (ESP)
IPsec provides three areas of protection that correspond to three IPsec protocols. The second is _________. By encrypting the packets, IPsec ensures that no other parties could view the contents. This is achieved through the ___ protocol.
Transport tunnel
IPsec supports two encryption modes. _______ mode encrypts only the data portion (payload) of each packet yet leaves the header unencrypted. The more secure _______ mode encrypts both the header and the data portion.
distributed
Instead of using a single CA, like with a hierarchical trust model, the ________ trust model has multiple CAs that sign digital certificates.
cryptoperiod
One of the characteristics that determines key strength is its ___________, or the length of time for which a key is authorized for use.
True
True or False? Salt is most commonly used in password-based systems.
additional authentication data (AAD)
Galois/Counter mode uses a counter like CTR, but it also adds a plaintext string called ___ to the transmission. This may contain the addresses and parameters of a network protocol that is being used.
transparent
IPsec is considered to be a _________ security protocol. This is because applications do not have to be modified to run under IPsec, users do not need to be trained on security procedures for it, and because when IPsec is implemented in a device like a firewall or router, no software changes are required on the local client.
Salt - 3 IV - 2 Nonce - 1
Match the input value to its corresponding rule. Salt Initialization Vector (IV) Nonce (1) Not required to be randomized & never repeated (2) Should be randomized & never repeated (3) Not required to be randomized & can be repeated
Hypertext Transport Protocol (HTTP) Hypertext Transport Protocol Secure (HTTPS)
One common use of TLS and SSL is to secure ____ communications between a browser and a web server. This secure version is called _____.
Secure Socket Layer (SSL)
One of the early and most widespread cryptographic transport algorithms is ___. The design goal was to create an encrypted data path between a client and a server that could be used on any platform or operating system.
Certificate Signing Request (CSR) Certificate Authority (CA)
To obtain a digital certificate a user must first generate public and private keys. The user must then complete a ___, a form which requires identifying information, such as name, address, email. etc.. This document is then sent to an intermediate __ for processing.
True
True or False? Although TLS v1.0 was considered marginally more secure than SSL v3.0, subsequent versions of TLS (v1.1 and v1.2) are significantly more secure.
False. ECB is not considered suitable for use
True or False? Although an older mode, ECB is considered a viable operation mode for use today.
True
True or False? Although sometimes it's more broadly defined, PKI should be understood as the framework for digital certificate management ONLY.
False. The cryptographic algorithm can not be altered.
True or False? Applications cannot manipulate the keys created by crypto service providers, but the cryptographic algorithm can be altered, allowing for key manipulation.
True
True or False? Cryptographers have often attempted to keep their algorithms or the workings of devices that encrypted or decrypted documents a secret, but this approach has always failed.
False. v1.2 is the current version (according to the book, 1.3 is the actual current)
True or False? Even though TLS v1.4 is the current version of Transport Layer Security, many websites continue to support older and weaker versions of TLS and SSL in order to provide the broadest range of compatibility for older web browsers.
False. It provides them to a wider range
True or False? IPsec provides protections to a more limited range of applications than SSL and TLS.
crypto modules
Typically, crypto service providers implement cryptographic algorithms, generate keys, provide key storage, and authenticate users by calling various __________ to perform specific tasks.
M-of-N control
Using __________ a user's private key is encrypted and divided into a specific number of parts. These parts are distributed to other individuals, with an overlap so that multiple people have the same part. If a key needs to be recovered, a smaller subset of the initial group will meet to discuss it.
.pem, .pfx, and .p12
What are the three X.509 file formats?
Randomness Length Cryptoperiod
What are the three primary key strength characteristics?
D. Crypto service provider
What entity calls in crypto modules to perform cryptographic tasks? A. Certificate Authority (CA) B. OCSP Chain C. Intermediate CA D. Crypto service provider
D. Salt
What is a value that can be used to ensure that hashed plaintext will not consistently result in the same digest? A. Algorithm B. Initialization Vector (IV) C. Nonce D. Salt
soft-fail
What is it called when a web browser cannot reach the OCSP Responder server?
Root
What other name might a certificate authority (CA) go by?
Master secret
When the browser and server have the same pre-master secret they can create this, which is used to create session keys.
Privacy Enhancement Mail (.pem)
Which X.509 file format is designed to provide confidentiality and integrity to emails using DER coding and can have multiple certificates?
.p12 (PKCS#12)
Which X.509 file format is single instance of a numbered set of 15 standards defined by the RSA Corporation. This file format is based on the RSA public key algorithm and uses both public and private keys.
Personal Information Exchange (.pfx)
Which X.509 file format is the preferred file format for creating certificates to authenticate applications or websites? It's password is protected because it contains both private and public keys.
B. Extended Validation (EV) Certificate
Which digital certificate displays the name of the entity behind the website? A. Online Certificate Status Certificate B. Extended Validation (EV) Certificate C. Session Certificate D. X.509 Certificate
D. Cipher Block Chaining (CBC)
Which of the following block ciphers XORs each block of plaintext with the previous block of ciphertext before being encrypted? A. Electronic Code Book (ECB) B. Galois/Counter (GCM) C. Counter (CTR) D. Cipher Block Chaining (CBC)
D. Variability
Which of the following is not a method for strengthening a key? A. Randomness B. Cryptoperiod C. Length D. Variability
A. It is designed for use on a large scale.
Which statement is NOT true regarding hierarchical trust models? A. It is designed for use on a large scale. B. The root signs all digital certificate authorities with a single key. C. It assigns a single hierarchy with one master CA. D. The master CA is called the root.
A. Bridge
Which trust model has multiple CAs, one of which acts as a facilitator? A. Bridge B. Hierarchical C. Distributed D. web
Initialization vector (IV)
__ is the most widely used algorithm and it may be considered as nonce with an additional requirement: it must be selected in a non-predictable way.
Galois/Counter Mode (GCM)
___ encrypts plaintext and computes a message authentication code to ensure the authenticity of the contents and the validity of the sender.
Public Key Infrastructure (PKI)
___ is a framework for all the entities involved in digital certificates for digital certificate management.
Transport Layer Security (TLS)
___ is another widespread cryptographic transport algorithm. SSL v3.0 serves as the basis for the initial version and is often used interchangeably with SSL.
Internet Protocol Security (IPsec)
____ is a protocol suite for securing Internet Protocol communications. It encrypts and authenticates each IP packet of a session between hosts or networks.
B. Key escrow
________ refers to a situation in which keys are managed by a third party, such as a trusted CA. A. Key authorization B. Key escrow C. Remote key administration D. Trusted key authority
B. Secure Shell (SSH)
_________ is a protocol for securely accessing a remote computer. A. Transport Layer Security (TLS) B. Secure Shell (SSH) C. Secure Sockets Layer (SSL) D. Secure Hypertext Transport Protocol (SHTTP)
B. Session Keys
__________ are symmetric keys to encrypt and decrypt information exchanged during the session and to verify its integrity A. Encrypted signatures B. Session Keys C. Digital certificates D. Digital digets